CVE-2020-14118
An intent redirection vulnerability in the Mi App Store product. This vulnerability is caused by the Mi App Store does not verify the validity of the incoming data, can cause the app store to automatically download and install apps.
Source: CVE-2020-14118
CVE-2020-14121
A business logic vulnerability exists in Mi App Store. The vulnerability is caused by incomplete permission checks of the products being bypassed, and an attacker can exploit the vulnerability to perform a local silent installation.
Source: CVE-2020-14121
CVE-2020-14122
Some Xiaomi phones have information leakage vulnerabilities, and some of them may be able to forge a specific identity due to the lack of parameter verification, resulting in user information leakage.
Source: CVE-2020-14122
CVE-2020-14120
Some Xiaomi models have a vulnerability in a certain application. The vulnerability is caused by the lack of checksum when using a three-party application to pass in parameters, and attackers can induce users to install a malicious app and use the vulnerability to achieve elevated privileges, making the normal services of the system affected.
Source: CVE-2020-14120
CVE-2020-14117
A improper permission configuration vulnerability in Xiaomi Content Center APP. This vulnerability is caused by the lack of correct permission verification in the Xiaomi content center APP, and attackers can use this vulnerability to invoke the sensitive component functions of the Xiaomi content center APP.
Source: CVE-2020-14117
CVE-2020-14116
An intent redirection vulnerability in the Mi Browser product. This vulnerability is caused by the Mi Browser does not verify the validity of the incoming data. Attackers can perform sensitive operations by exploiting this.
Source: CVE-2020-14116
CVE-2022-24870
Combodo iTop is a web based IT Service Management tool. In 3.0.0 beta releases prior to 3.0.0 beta3 a malicious script can be injected in tooltips using iTop customization mechanism. This provides a stored cross site scripting attack vector to authorized users of the system. Users are advised to upgrade. There are no known workarounds for this issue.
Source: CVE-2022-24870
CVE-2022-24869
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can use ticket’s followups or setup login messages with a stylesheet link. This may allow for a cross site scripting attack vector. This issue is partially mitigated by cors security of browsers, though users are still advised to upgrade.
Source: CVE-2022-24869
CVE-2022-24868
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions prior to 10.0.0 one can exploit a lack of sanitization on SVG file uploads and inject javascript into their user avatar. As a result any user viewing the avatar will be subject to a cross site scripting attack. Users of GLPI are advised to upgrade. Users unable to upgrade should disallow SVG avatars.
Source: CVE-2022-24868
CVE-2022-24867
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. When you pass the config to the javascript, some entries are filtered out. The variable ldap_pass is not filtered and when you look at the source code of the rendered page, we can see the password for the root dn. Users are advised to upgrade. There is no known workaround for this issue.
Source: CVE-2022-24867